
I have an Apache web server with SSL on that has a server certificate signed by a trusted official CA. Can I configure Apache SSL to accept clients with valid certificates signed by CAs other than the CA that signed the server certificate?

I'm getting an ssl_error_unknown_ca_alert even though I have configured other CAs in apache and the server started with no errors. I have created a file containing the CA certificate of the CA that signed the server certificate and the other CAs certificates of the CAs I want to trust. Then I pointed the SSLCertificateChainFile directive to this file.

I'm using Apache 2.2.22

Edit:

I'm using:

SSLCertificateFile pointing to the server certificate
SSLCertificateKeyFile pointing to the server key
SSLCertificateChainFile pointing to the certificate chain that signed the server certificate
SSLCACertificateFile pointing to a file with all the certificate chains I want to be accepted

SSLVerifyClient require
SSLVerifyDepth  1

Apache recognizes them all in the log when I restart the server and there are no errors. Yet, I still get a ssl_error_certificate_unknown_alert error. I also verified that the client certificate chain is present in the SSLCACertificateFile by text comparison in Meld.

cweiske
Nelson Teixeira

2 Answers

Found out what the problem is. The certificate is signed by a chain of 3 CAs and I set SSLVerifyDepth to 1. Set it to 10 and it worked.

MadHatter
Nelson Teixeira

I believe you want a directory containing the certs you want to use. You may need to use some SSL magic to create the symlinks for the certificates. See mod_ssl SSLCACertificatePath Proper Usage or What is the Best way to Handle Multiple Acceptable Client Certificate CAs for the required commands.

BillThor